diff mbox series

[v2,08/17] efi_loader: read-only AuditMode and DeployedMode

Message ID 20200707031200.65511-9-xypron.glpk@gmx.de
State Superseded
Headers show
Series efi_loader: non-volatile and runtime variables | expand

Commit Message

Heinrich Schuchardt July 7, 2020, 3:11 a.m. UTC
Set the read only property of the UEFI variables AuditMode and DeployedMode
conforming to the UEFI specification.

Signed-off-by: Heinrich Schuchardt <xypron.glpk at gmx.de>
---
 lib/efi_loader/efi_variable.c | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

--
2.27.0
diff mbox series

Patch

diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c
index e3b29663a0..b84b86672a 100644
--- a/lib/efi_loader/efi_variable.c
+++ b/lib/efi_loader/efi_variable.c
@@ -183,32 +183,36 @@  static const char *parse_attr(const char *str, u32 *attrp, u64 *timep)
 static efi_status_t efi_set_secure_state(u8 secure_boot, u8 setup_mode,
 					 u8 audit_mode, u8 deployed_mode)
 {
-	u32 attributes;
 	efi_status_t ret;
+	const u32 attributes_ro = EFI_VARIABLE_BOOTSERVICE_ACCESS |
+				  EFI_VARIABLE_RUNTIME_ACCESS |
+				  EFI_VARIABLE_READ_ONLY;
+	const u32 attributes_rw = EFI_VARIABLE_BOOTSERVICE_ACCESS |
+				  EFI_VARIABLE_RUNTIME_ACCESS;

-	attributes = EFI_VARIABLE_BOOTSERVICE_ACCESS |
-		     EFI_VARIABLE_RUNTIME_ACCESS |
-		     EFI_VARIABLE_READ_ONLY;
 	ret = efi_set_variable_int(L"SecureBoot", &efi_global_variable_guid,
-				   attributes, sizeof(secure_boot),
+				   attributes_ro, sizeof(secure_boot),
 				   &secure_boot, false);
 	if (ret != EFI_SUCCESS)
 		goto err;

 	ret = efi_set_variable_int(L"SetupMode", &efi_global_variable_guid,
-				   attributes, sizeof(setup_mode),
+				   attributes_ro, sizeof(setup_mode),
 				   &setup_mode, false);
 	if (ret != EFI_SUCCESS)
 		goto err;

 	ret = efi_set_variable_int(L"AuditMode", &efi_global_variable_guid,
-				   attributes, sizeof(audit_mode),
-				   &audit_mode, false);
+				   audit_mode || setup_mode ?
+				   attributes_ro : attributes_rw,
+				   sizeof(audit_mode), &audit_mode, false);
 	if (ret != EFI_SUCCESS)
 		goto err;

 	ret = efi_set_variable_int(L"DeployedMode",
-				   &efi_global_variable_guid, attributes,
+				   &efi_global_variable_guid,
+				   audit_mode || deployed_mode || setup_mode ?
+				   attributes_ro : attributes_rw,
 				   sizeof(deployed_mode), &deployed_mode,
 				   false);
 err: